( Cyber S ecurity A uthorization and A uthentication F ramework for the E nterprise )
DevSecOps and a Zero Trust Architecture (ZTA) are Essential Partners
Your security posture really is a continual process and not a series of products to achieve an end goal. We point you to a series of recommended processes, best practices, and products designed to work together.
At the heart of our Zero Trust Strategy for applications is our flagship product, XtremeCloud Single Sign-On (SSO) . It enables very strong authentication, provides a point of integration for device security, and it is the core of any agency's user-centric policies to guarantee least-privileged access. We provide Conditional Access capabilities with a Policy Decision Point (PDP) for fine-grained authorization access to resources based on user identity, environment, device health, and risk. These are verified at the point of access with our Policy Execution Points (PEP).
Continuing the theme of Zero Trust Strategy is the bundling of Aspen (Istio) Mesh with our XtremeCloud SSO product. We do not bake in the burdensome details of TLS/SSL encryption, or consume valuable CPU cycles conducting cryptographic operations, in our XtremeCloud SSO containers. The highly-efficient FIPS 140-2 compliant Istio Service Mesh sidecar runs in the same pod as our SSO containers, providing encrypted service-to-service traffic in the Istio data plane. The interconnected set of proxies in a Service Mesh that control the inter-services communication represents its data plane.
Istio tunnels the service-to-service communication through the client-side and the server-side Policy Execution Points (PEPs), which are implemented as Envoy proxies. When a workload sends a request to another workload using mutual TLS authentication (mTLS), the request is handled as follows:
Istio re-routes the outbound traffic from a client to the client's local Envoy sidecar.
The client side Envoy starts a mutual TLS handshake with the server-side Envoy. During the handshake, the client-side Envoy also performs a secure naming check to verify that the service account presented in the server certificate is authorized to run the target service.
The client-side Envoy and the server-side Envoy establish a mutual TLS connection and Istio forwards the traffic from the client to the server. We refer to this as the service mesh data path.
Following authorization, the server-side Envoy forwards the traffic to the server service through local TCP connections, also known as the local loopback.
We'll also work with you to lessen the burden of digital certificate management, for your services or hosts, through integration with Let's Encrypt.
We have left-shifted the security at both compile time and at run-time with Kubernetes Cluster security checks of running pods, run-time policy checks of attempted access within and external to the Kubernetes Clusters , and continuous Docker image scanning for common vulnerabilities and exposures (CVE) using Quay.io.
As an open source provider, our wide use of open source components mandates a complete and thorough vulnerability and exposure scanning at source code compile time and subsequent Docker images builds of our Active-Active multi-cloud applications or our single cloud applications.
Additionally, for Risk Assessment purposes, all of our supported Docker images that we deliver are continuously scanned for Common Vulnerabilities and Exposures (CVE). Our Docker images are only built with carefully-controlled Red Hat Universal Base Images (UBI), providing a strong foundation using Red Hat software. When new vulnerabilities or exposures are identified, we will proactively alert your team and assist you by providing an updated image from our Eupraxia Labs Container Catalog (ELCC) on Red Hat's Quay.io registry .
For your convenience, we have scanned open source base images you can use to build your own Docker images that include the Red Hat Universal Base Image (UBI), already configured with OpenJDK. Take a look:
We also shift left in the CI/CD cycle by deploying advanced security in your Kubernetes Clusters using Kubescape, with hardening guidance provided by NSA and CISA.
Our CyberSAAFE Continuum umbrella of solutions provides a series of applications distributed across multiple Cloud Service Providers (CSP), hybrid, or an on-premise private cloud that:
Includes a world class Identity and Access Management (IAM) product - XtremeCloud Single Sign-On (SSO) that also protects its own microservices endpoints with OAuth2 flows, as well as any third-party or homegrown APIs. With our latest 4.0 release of XtremeCloud SSO, we support FIDO2 and WebAuthN to allow passwordless logins. Strong authenticators like Windows Hello, Apple TouchID, and the Yubico Yubikey are fully supported.
Includes relational databases that provide bi-directional replication (BDR) Active-Active multi-master replication (MMR) - XtremeCloud Data Grid-db with data-at-rest security provided by the Cloud Service Providers (CSP) with Hardware Security Modules (HSM).
Provides a transport-level secure XtremeCloud Data Grid-web for fully distributed and replicated caches.
Provides an Active-Active Lightweight Directory Access Protocol (LDAPv3)-based directory user store that provides: application settings, user profiles, group data, policies, and access control information - XtremeCloud Data Grid/LDAP.
Provides integration with Microsoft Active Directory (AD) for federated user identity management.
Limits the actions a container can take by using AppArmor , a very effective Linux kernel security model (LSM) that is less complex than SELinux.
Provides CSP-based Kubernetes worker nodes that are hardened per Center for Internet Security (CIS) Guidelines and Benchmarks.
Provides a clean Kubernetes Cluster, using Kubescape, that dramatically reduces the surface attack vectors that can be exploited by malicious code that was inadvertently deployed to your cluster.
AppArmor in an Azure Kubernetes Services (AKS) Cluster.
Kubescape applying the National Security Agency (NSA) Framework
With our knowledge of the major Cloud Service Providers (CSP) including Microsoft Azure, Google Cloud (GCP), Oracle Cloud (OCI), IBM Cloud, and Amazon Web Services (AWS), we can provide you with, or assist you with, the myriad of multi-layer security capabilities that are available to you.